Here is how I search for vulnerabilities in Android apps

I often debug Android apps for fun and profit; here is what I use in the process.

Usually what I'm looking for are logic flaws or bad implementations in the application's backend. Because of that, I need to intercept the application's network requests even if they are 'secured' with HTTPS.

Intercepting plain HTTP traffic is easy: point the device at your computer's local IP address as its proxy, run a tool like Burp, Fiddler or Charles on that port, and you are ready to go.

But intercepting HTTPS requests can be tough (and it should be).

First of all, you need to create a root certificate and install and trust it in your favorite proxy tool (I ❤️ Charles). Many proxy tools do this automatically nowadays.

After that, you should trust that certificate on your mobile device (in our case, your emulator). Note that apps targeting Android 7 (API level 24) and later no longer trust user-installed certificates by default, so on newer images the proxy's root certificate has to go into the system store of a rooted device. When you have completed these steps you should, in theory, be able to see any application's HTTPS traffic. But application developers protect their APIs with a method called certificate pinning, which is basically checking the server's certificate (or its public key) against a value shipped inside the app before trusting the HTTPS connection, on top of the normal chain validation.
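The following Python example is added here to make the two checks concrete; it is not code from the original post, from Charles or from Inspeckage. It walks a DER certificate with a minimal parser, computes the file name Android's system CA store expects for the proxy's root certificate (the same value `openssl x509 -subject_hash_old` prints), and computes the SPKI pin that an OkHttp-style CertificatePinner compares against. The certificates it works on are constructed inside the script (structurally valid, but with a dummy key and no real signature), and the host and CA names are assumptions.

```python
import base64
import hashlib

# --- minimal DER encode/decode, enough to walk an X.509 certificate ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], buf[pos:end], end


def der_children(content: bytes):
    """Split a constructed element's content into (tag, content, raw) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = der_read(content, pos)
        out.append((tag, body, raw))
    return out


def tbs_subject_and_spki(cert_der: bytes):
    """Raw DER of the subject Name and of the SubjectPublicKeyInfo.
    TBSCertificate = [0]version serial sigAlg issuer validity subject spki ..."""
    _, cert_body, _, _ = der_read(cert_der)
    _, tbs, _, _ = der_read(cert_body)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # explicit [0] version is optional (v1 omits it)
        fields = fields[1:]
    return fields[4][2], fields[5][2]


def system_store_filename(cert_der: bytes) -> str:
    """Name /system/etc/security/cacerts wants for a CA: OpenSSL's "old" subject
    hash (MD5 of the DER Name, first 4 bytes little-endian, 8 hex digits) + ".0"."""
    subject, _ = tbs_subject_and_spki(cert_der)
    digest = hashlib.md5(subject).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")


def spki_pin(cert_der: bytes) -> str:
    """Public-key pin as OkHttp spells it: sha256/<base64(SHA-256(SPKI DER))>."""
    _, spki = tbs_subject_and_spki(cert_der)
    return "sha256/" + base64.b64encode(hashlib.sha256(spki).digest()).decode()


def pin_check(cert_der: bytes, pinned: set) -> bool:
    """What a pinning client does after the normal chain validation has passed."""
    return spki_pin(cert_der) in pinned


# --- constructed test data: dummy key bytes, no real signature (assumption) ---
OID_CN = bytes.fromhex("550403")                  # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")


def name(cn: str) -> bytes:
    rdn = der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode())))
    return der(0x30, rdn)


def spki_for(key_bytes: bytes) -> bytes:
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))


def fake_cert(subject_cn: str, issuer_cn: str, key_bytes: bytes) -> bytes:
    """Structurally valid, unsigned X.509 v3 certificate for the demo."""
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name(issuer_cn) + validity + name(subject_cn) + spki_for(key_bytes))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))   # dummy signature


if __name__ == "__main__":
    real = fake_cert("api.example.com", "Some Public CA", b"\x01" * 64)
    # the proxy re-issues a cert with the same subject but its own key
    mitm = fake_cert("api.example.com", "Charles Proxy CA", b"\x02" * 64)
    pins = {spki_pin(real)}
    print("real cert passes pin check:", pin_check(real, pins))
    print("proxy cert passes pin check:", pin_check(mitm, pins))
    ca = fake_cert("Charles Proxy CA", "Charles Proxy CA", b"\x03" * 64)
    print("push CA to /system/etc/security/cacerts/" + system_store_filename(ca))
```

Pointing the emulator at the proxy is `adb shell settings put global http_proxy <host>:<port>` (and `:0` to clear it); on a rooted image the proxy CA goes to `/system/etc/security/cacerts/<hash>.0`, with `<hash>` from `openssl x509 -subject_hash_old -noout -in charles.pem`. The re-signed certificate the proxy presents carries the same subject as the real server but a different key, so the pin fails even though the chain now validates against the trusted proxy CA; that is why pinning bypasses work by hooking the check inside the app rather than by forging certificates.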

My setup for this process

I'm using Genymotion's Android emulator with GApps, the Xposed framework and Inspeckage installed. To intercept the device's network requests, I'm using Charles Proxy. Setting up the emulator can be challenging, which is why I created an image of my current setup that you can easily import and start playing with (please note that you still have to create your own root certificate and trust it on the device).

Here is the download link (1.8 GB) to my emulator image. Import it into VirtualBox and start it via Genymotion (the device PIN code is 1111).

Please make sure to re-initialize the MAC address when importing.

Screenshot from emulator